Deobfuscate/Decode Files or Information

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.

One such example is use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file. [1] Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. [2]

Sometimes a user's action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. [3]

ID: T1140
Sub-techniques:  No sub-techniques
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Permissions Required: User
Data Sources: File: File Modification, Process: Process Creation, Script: Script Execution
Defense Bypassed: Anti-virus, Host intrusion prevention systems, Network intrusion detection system, Signature-based detection
Contributors: Matthew Demaske, Adaptforward; Red Canary
Version: 1.1
Created: 14 December 2017
Last Modified: 09 July 2020

Procedure Examples

ID Name Description
S0469 ABK

ABK has the ability to decrypt AES encrypted payloads.[4]

S0331 Agent Tesla

Agent Tesla has the ability to decrypt strings encrypted with the Rijndael symmetric encryption algorithm.[5]

S0584 AppleJeus

AppleJeus has decoded files received from a C2.[6]

G0073 APT19

An APT19 HTTP malware variant decrypts strings using single-byte XOR keys.[7]

G0007 APT28

An APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload.[8][9]

G0016 APT29

APT29 used 7-Zip to decode its Raindrop malware.[10]

G0087 APT39

APT39 has used malware to decrypt encrypted CAB files.[11]

S0456 Aria-body

Aria-body has the ability to decrypt the loader configuration and payload DLL.[12]

S0373 Astaroth

Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code. [13][14]

S0347 AuditCred

AuditCred uses XOR and RC4 to perform decryption on the code functions.[15]

S0473 Avenger

Avenger has the ability to decrypt files downloaded from C2.[4]

S0344 Azorult

Azorult uses an XOR key to decrypt content and uses Base64 to decode the C2 address.[16][17]

S0414 BabyShark

BabyShark has the ability to decode downloaded files prior to execution.[18]

S0475 BackConfig

BackConfig has used a custom routine to decrypt strings.[19]

S0239 Bankshot

Bankshot decodes embedded XOR strings.[20]

S0534 Bazar

Bazar can decrypt downloaded payloads. Bazar also resolves strings and API calls at runtime.[21][22]

S0470 BBK

BBK has the ability to decrypt AES encrypted payloads.[4]

S0127 BBSRAT

BBSRAT uses Expand to decompress a CAB file into executable content.[23]

S0574 BendyBear

BendyBear has decrypted function blocks using a XOR key during runtime to evade detection.[24]

S0268 Bisonal

Bisonal decodes strings in the malware using XOR and RC4.[25]

S0520 BLINDINGCAN

BLINDINGCAN has used AES and XOR to decrypt its DLLs.[26]

S0415 BOOSTWRITE

BOOSTWRITE has used a a 32-byte long multi-XOR key to decode data inside its payload.[27]

G0060 BRONZE BUTLER

BRONZE BUTLER downloads encoded payloads and decodes them on the victim.[28]

S0482 Bundlore

Bundlore has used openssl to decrypt AES encrypted payload data. Bundlore has also used base64 and RC4 with a hardcoded key to deobfuscate data.[29]

S0335 Carbon

Carbon decrypts task and configuration files for execution.[30][31]

S0348 Cardinal RAT

Cardinal RAT decodes many of its artifacts and is decrypted (AES-128) after being downloaded.[32]

S0160 certutil

certutil has been used to decode binaries hidden inside certificate files as Base64 information.[1]

S0154 Cobalt Strike

Cobalt Strike can deobfuscate shellcode using a rolling XOR.[33]

S0369 CoinTicker

CoinTicker decodes the initially-downloaded hidden encoded file using OpenSSL.[34]

S0126 ComRAT

ComRAT has used unique per machine passwords to decrypt the orchestrator payload and a hardcoded XOR key to decrypt its communications module. ComRAT has also used a unique password to decrypt the file used for its hidden file system.[35][36]

S0575 Conti

Conti has decrypted its payload using a hardcoded AES-256 key.[37][38]

S0492 CookieMiner

CookieMiner has used Google Chrome's decryption and extraction operations.[39]

G0012 Darkhotel

Darkhotel has decrypted strings and imports using RC4 during execution.[40][41]

S0255 DDKONG

DDKONG decodes an embedded configuration using XOR.[42]

S0354 Denis

Denis will decrypt important strings used for C&C communication.[43]

S0547 DropBook

DropBook can unarchive data downloaded from the C2 to obtain the payload and persistence modules.[44]

S0502 Drovorub

Drovorub has de-obsfuscated XOR encrypted payloads in WebSocket messages.[45]

S0567 Dtrack

Dtrack has used a decryption routine that is part of an executable physical patch.[46]

S0024 Dyre

Dyre decrypts resources needed for targeting the victim.[47][48]

S0377 Ebury

Ebury has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key.[49]

S0554 Egregor

Egregor has been decrypted before execution.[50][51]

S0401 Exaramel for Linux

Exaramel for Linux can decrypt its configuration file.[52]

S0361 Expand

Expand can be used to decompress a local or remote CAB file into an executable.[53]

S0512 FatDuke

FatDuke can decrypt AES encrypted C2 communications.[54]

S0355 Final1stspy

Final1stspy uses Python code to deobfuscate base64-encoded strings.[55]

S0182 FinFisher

FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources.[56][57]

G0101 Frankenstein

Frankenstein has deobfuscated base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload.[58]

G0047 Gamaredon Group

Gamaredon Group tools decrypted additional payloads from the C2. Gamaredon Group has also decoded base64-encoded source code of a downloader.[59][60]

S0032 gh0st RAT

gh0st RAT has decrypted and loaded the gh0st RAT DLL into memory, once the initial dropper executable is launched.[61]

S0588 GoldMax

GoldMax has decoded and decrypted the configuration file when executed.[62][63]

S0477 Goopy

Goopy has used a polymorphic decryptor to decrypt itself at runtime.[43]

G0078 Gorgon Group

Gorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file.[64]

S0531 Grandoreiro

Grandoreiro can decrypt its encrypted internal strings.[65]

S0499 Hancitor

Hancitor has decoded Base64 encoded URLs to insert a recipient’s name into the filename of the Word document. Hancitor has also extracted executables from ZIP files.[66][67]

S0394 HiddenWasp

HiddenWasp uses a cipher to implement a decoding function.[68]

G0126 Higaisa

Higaisa used certutil to decode Base64 binaries at runtime and a 16-byte XOR key to decrypt data.[69][70]

S0601 Hildegard

Hildegard has decrypted ELF files with AES.[71]

G0072 Honeybee

Honeybee drops a Word file containing a Base64-encoded file in it that is read, decoded, and dropped to the disk by the macro.[72]

S0434 Imminent Monitor

Imminent Monitor has decoded malware components that are then dropped to the system.[73]

S0260 InvisiMole

InvisiMole can decrypt, unpack and load a DLL from its resources, or from blobs encrypted with Data Protection API, two-key triple DES, and variations of the XOR cipher.[74][75]

S0581 IronNetInjector

IronNetInjector has the ability to decrypt embedded .NET and PE payloads.[76]

S0189 ISMInjector

ISMInjector uses the certutil command to decode a payload file.[77]

S0487 Kessel

Kessel has decrypted the binary's configuration once the main function was launched.[78]

S0526 KGH_SPY

KGH_SPY can decrypt encrypted strings and write them to a newly created folder.[79]

S0356 KONNI

KONNI has used certutil to download and decode base64 encoded strings.[80]

S0236 Kwampirs

Kwampirs decrypts and extracts a copy of its main DLL payload when executing.[81]

G0065 Leviathan

Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.[82]

S0395 LightNeuron

LightNeuron has used AES and XOR to decrypt configuration files and commands.[83]

S0582 LookBack

LookBack has a function that decrypts malicious data.[84]

S0532 Lucifer

Lucifer can decrypt its C2 address upon execution.[85]

S0409 Machete

Machete’s downloaded data is decrypted using AES.[86]

S0576 MegaCortex

MegaCortex has used a Base64 key to decode its components.[87]

G0045 menuPass

menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has also used certutil -decode to decode files on the victim’s machine when dropping UPPERCUT.[88][89]

S0443 MESSAGETAP

After checking for the existence of two files, keyword_parm.txt and parm.txt, MESSAGETAP XOR decodes and read the contents of the files. [90]

S0455 Metamorfo

Upon execution, Metamorfo has unzipped itself after being downloaded to the system.[91][92]

S0280 MirageFox

MirageFox has a function for decrypting data containing C2 configuration information.[93]

G0021 Molerats

Molerats decompresses ZIP files once on the victim machine.[94]

S0284 More_eggs

More_eggs will decode malware components that are then dropped to the system.[95]

G0069 MuddyWater

MuddyWater decoded base64-encoded PowerShell commands using a VBS file.[96][97][98]

S0457 Netwalker

Netwalker's PowerShell script can decode and decrypt multiple layers of obfuscation, leading to the Netwalker DLL being loaded into memory.[99]

S0353 NOKKI

NOKKI uses a unique, custom de-obfuscation technique.[100]

G0049 OilRig

A OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims.[101][77][102][103]

S0439 Okrum

Okrum's loader can decrypt the backdoor code, embedded within the loader or within a legitimate PNG file. A custom XOR cipher or RC4 is used for decryption.[104]

S0052 OnionDuke

OnionDuke can use a custom decryption algorithm to decrypt strings.[54]

S0264 OopsIE

OopsIE concatenates then decompresses multiple resources to load an embedded .Net Framework assembly.[102]

S0402 OSX/Shlayer

OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads.[105]

S0598 P.A.S. Webshell

P.A.S. Webshell can use a decryption mechanism to process a user supplied password and allow execution.[52]

S0517 Pillowmint

Pillowmint has been decompressed by included shellcode prior to being launched.[106]

S0501 PipeMon

PipeMon can decrypt password-protected executables.[107]

S0013 PlugX

PlugX decompresses and decrypts itself using the Microsoft API call RtlDecompressBuffer.[108]

S0428 PoetRAT

PoetRAT has used LZMA and base64 libraries to decode obfuscated scripts.[109]

S0518 PolyglotDuke

PolyglotDuke can use a custom algorithm to decrypt strings used by the malware.[54]

S0223 POWERSTATS

POWERSTATS can deobfuscate the main backdoor code.[98]

S0279 Proton

Proton uses an encrypted file to store commands and configuration values.[110]

S0196 PUNCHBUGGY

PUNCHBUGGY has used PowerShell to decode base64-encoded assembly.[111]

S0269 QUADAGENT

QUADAGENT uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts.[112]

S0565 Raindrop

Raindrop decrypted its Cobalt Strike payload using an AES-256 encryption algorithm in CBC mode with a unique key per sample.[10][113]

S0458 Ramsay

Ramsay can extract its agent from the body of a malicious document.[114]

S0495 RDAT

RDAT can deobfuscate the base64-encoded and AES-encrypted files downloaded from the C2 server.[115]

S0511 RegDuke

RegDuke can decrypt strings with a key either stored in the Registry or hardcoded in the code.[54]

S0375 Remexi

Remexi decrypts the configuration data using XOR with 25-character keys.[116]

S0496 REvil

REvil can decode encrypted strings to enable execution of commands and payloads.[117][118][119][120][121][122]

S0258 RGDoor

RGDoor decodes Base64 strings and decrypts strings using a custom XOR algorithm.[123]

S0448 Rising Sun

Rising Sun decrypted itself using a single-byte XOR scheme. Additionally, Rising Sun can decrypt its configuration data at runtime.[124]

G0106 Rocke

Rocke has extracted tar.gz files after downloading them from a C2 server.[125]

S0270 RogueRobin

RogueRobin decodes an embedded executable using base64 and decompresses it.[126]

G0034 Sandworm Team

Sandworm Team's VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group also decrypted received information using the Triple DES algorithm and decompresses it using GZip.[127][128]

S0461 SDBbot

SDBbot has the ability to decrypt and decompress its payload to enable code execution.[129][130]

S0596 ShadowPad

ShadowPad has decrypted a binary blob to start execution.[131]

S0140 Shamoon

Shamoon decrypts ciphertext using an XOR cipher and a base64-encoded string.[132]

S0546 SharpStage

SharpStage has decompressed data received from the C2 server.[133]

S0444 ShimRat

ShimRat has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system.[134]

S0589 Sibot

Sibot can decrypt data received from a C2 and save to a file.[62]

S0468 Skidmap

Skidmap has the ability to download, unpack, and decrypt tar.gz files .[135]

S0226 Smoke Loader

Smoke Loader deobfuscates its code.[136]

S0516 SoreFang

SoreFang can decode and decrypt exfiltrated data sent to C2.[137]

S0543 Spark

Spark has used a custom XOR algorithm to decrypt the payload.[138]

S0390 SQLRat

SQLRat has scripts that are responsible for deobfuscating additional scripts.[139]

S0188 Starloader

Starloader decrypts and executes shellcode from a file called Stars.jps.[140]

S0562 SUNSPOT

SUNSPOT decrypts SUNBURST, which was stored in AES128-CBC encrypted blobs.[141]

S0560 TEARDROP

TEARDROP was decoded using a custom rolling XOR algorithm to execute a customized Cobalt Strike payload.[142][143][113]

G0027 Threat Group-3390

During execution, Threat Group-3390 malware deobfuscates and decompresses code that was encoded with Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.[144]

S0266 TrickBot

TrickBot decodes the configuration data and modules.[145][146]

G0081 Tropic Trooper

Tropic Trooper used shellcode with an XOR algorithm to decrypt a payload. Tropic Trooper also decrypted image files which contained a payload.[147][148]

S0436 TSCookie

TSCookie has the ability to decrypt, load, and execute a DLL and its resources.[149]

G0010 Turla

Turla has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or PowerShell Profile, to decode encrypted PowerShell payloads.[150]

S0263 TYPEFRAME

One TYPEFRAME variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value "0x35".[151]

S0386 Ursnif

Ursnif has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk.[152]

S0476 Valak

Valak has the ability to decode and decrypt downloaded files.[153][154]

S0257 VERMIN

VERMIN decrypts code, strings, and commands to use once it's on the victim's machine.[155]

S0180 Volgmer

Volgmer deobfuscates its strings and APIs once its executed.[156]

S0579 Waterbear

Waterbear has the ability to decrypt its RC4 encrypted payload for execution.[157]

S0515 WellMail

WellMail can decompress scripts received from C2.[158]

S0514 WellMess

WellMess can decode and decrypt data received from C2.[159][160][161]

S0466 WindTail

WindTail has the ability to decrypt strings using hard-coded AES keys.[162]

S0430 Winnti for Linux

Winnti for Linux has decoded XOR encoded strings holding its configuration upon execution.[163]

G0090 WIRTE

WIRTE has decoded a base64 encoded document which was embedded in a VBS script.[164]

S0388 YAHOYAH

YAHOYAH decrypts downloaded files before execution.[165]

S0251 Zebrocy

Zebrocy decodes its secondary payload and writes it to the victim’s machine. Zebrocy also uses AES and XOR to decrypt strings and payloads.[166][167]

S0230 ZeroT

ZeroT shellcode decrypts and decompresses its RC4-encrypted payload.[168]

S0330 Zeus Panda

Zeus Panda decrypts strings in the code during the execution process.[169]

G0128 ZIRCONIUM

ZIRCONIUM has used the AES256 algorithm with a SHA1 derived key to decrypt exploit code.[170]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as certutil.

Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.

References

  1. Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017.
  2. Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.
  3. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  4. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  5. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.
  6. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  7. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
  8. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  9. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  10. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
  11. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  12. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  13. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  14. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  15. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  16. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  17. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.
  18. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  19. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  20. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  21. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  22. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  23. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  24. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.
  25. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  26. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  27. Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.
  28. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  29. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  30. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  31. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  32. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  33. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.
  34. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  35. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  36. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
  37. Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021.
  38. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
  39. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  40. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
  41. Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021.
  42. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  43. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  44. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  45. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
  46. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
  47. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
  48. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
  49. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021.
  50. NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020.
  51. Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020.
  52. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  53. Microsoft. (2017, October 15). Expand. Retrieved February 19, 2019.
  54. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  55. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  56. FinFisher. (n.d.). Retrieved December 20, 2017.
  57. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  58. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  59. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.
  60. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  61. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  62. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  63. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
  64. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  65. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  66. Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020.
  67. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
  68. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  69. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
  70. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
  71. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  72. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  73. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  74. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  75. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  76. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.
  77. Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
  78. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  79. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  80. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
  81. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  82. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  83. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  84. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
  85. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
  1. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  2. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  3. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  4. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  5. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020.
  6. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  7. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  8. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.
  9. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  10. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  11. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  12. Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018.
  13. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  14. Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
  15. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  16. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  17. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  18. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  19. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  20. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
  21. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  22. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  23. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  24. Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021.
  25. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  26. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  27. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  28. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  29. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  30. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  31. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  32. Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.
  33. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
  34. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
  35. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  36. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  37. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  38. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
  39. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  40. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  41. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  42. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  43. Cherepanov, A.. (2017, July 4). Analysis of TeleBots’ cunning backdoor . Retrieved June 11, 2020.
  44. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  45. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
  46. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  47. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
  48. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
  49. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  50. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  51. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
  52. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
  53. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
  54. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  55. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  56. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
  57. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  58. Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.
  59. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
  60. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
  61. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  62. Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.
  63. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  64. Tomonaga, S.. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
  65. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  66. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  67. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
  68. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  69. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  70. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  71. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  72. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
  73. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
  74. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
  75. PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020.
  76. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
  77. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.
  78. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
  79. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
  80. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
  81. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  82. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  83. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  84. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.
  85. Itkin, E. and Cohen, I. (2021, February 22). The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day. Retrieved March 24, 2021.